author | wm4 <wm4@nowhere> | 2019-09-21 21:59:09 +0200 |
---|---|---|
committer | wm4 <wm4@nowhere> | 2019-09-21 21:59:09 +0200 |
commit | 5858e3cdbd6fbae3ed80366912dd5df0af4fa126 (patch) | |
tree | 164a82cede5b20d12f72af823600af3f8a6486c0 | |
parent | fc7decde738378b0ea5ecc1163c6b8d65a73672d (diff) | |
download | mpv-5858e3cdbd6fbae3ed80366912dd5df0af4fa126.tar.bz2 mpv-5858e3cdbd6fbae3ed80366912dd5df0af4fa126.tar.xz |
audio: fix use-after-free with fuzzed file
reinit_audio_filters_and_output() can fully shut down the audio chain on
failure. Specifically, it will deallocate mpctx->ao_chain. The value of
that field was cached in ao_c. The code after the call did not account
for the fact that the audio chain can be shut down, and used the stale ao_c value.
Fixes: #6808
-rw-r--r-- | player/audio.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/player/audio.c b/player/audio.c index 881d74a904..22a87c91eb 100644 --- a/player/audio.c +++ b/player/audio.c @@ -813,6 +813,8 @@ void fill_audio_out_buffers(struct MPContext *mpctx) // Probe the initial audio format. mp_pin_out_request_data(ao_c->filter->f->pins[1]); reinit_audio_filters_and_output(mpctx); + if (!mpctx->ao_chain) + return; if (ao_c->filter->got_output_eof && mpctx->audio_status != STATUS_EOF) { |
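Review bot: The new check after reinit_audio_filters_and_output(mpctx) only catches the case where mpctx->ao_chain ends up NULL, while the following line still dereferences the cached local in `ao_c->filter->got_output_eof`. If the call can ever leave a different chain in mpctx->ao_chain, ao_c would be stale even though the check passes. Reloading the local after the call (ao_c = mpctx->ao_chain, then return if it is NULL) or testing `mpctx->ao_chain != ao_c` would tie the guard to the pointer that is actually used. A one-line comment on the check saying that the call may free the audio chain on failure would also help, since nothing at the call site hints that ao_c can be invalidated there.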